With a tool so widely used by so many different types of people like the
World Wide Web, it is necessary for everyone to understand as many aspects as
possible about its functionality. From web designers to web developers to web
users, this is a must read. Security is a job for everyone and How To
Break Web Software by Mike Andrews and James A. Whittaker is written for
everyone to understand.

Although this book may be geared more towards the developer, it is really a
book for everyone. As I mentioned before, security is everyone's
responsibility. The ideas, concepts, and procedures outlined in this book are
things that even just the average user should be able to pick up on and alert
the webmaster of in order to prevent potential disaster.

It is necessary to keep in mind that this book, although seemingly full of
information on how to attack web sites and bring down servers is for
informational and educational purposes. It is to inform the developers of
common programming and design mistakes. It is also to ensure that common users
with no malicious intent can spot problems in design and nip them in the bud
before the problems become catastrophic.

Summary:

The book begins by very basically showing the reader in no uncertain terms
the basic concepts that are going to be outlined through the book. The first
idea to geteveryone on the same page with client-server relationships and
general information about the world wide web.

One of the most important aspects of an attack is knowing your victim. The
first informational chapter in this book discusses gathering information on
a potential target. Just as with all forthcoming chapters, this one begins
with the obvious information and progresses into the more obscure, less thought
about topics.

Once the information has been gathered, either via source code, URLs, or
any other method that potentially puts information out in the open, the
attacks can begin. There are many way in which these attacks can happen. The
authors begin by discussing attacks on the user (client) input and how validation needs to
occur or the input needs to be sanitized. They then move on to talk about
state based attacks, either through CGI parameters or hidden fields within
forms. These ideas were also extended to discuss cookie poisoning, URL
jumping, and session hijacking (can also include man in the middle attacks).
Without all this information consistently being checked and verified, it is
possible to for those with malintent to inject information into a session.

Another set of attacks that are covered are language attacks. These can also
occur as a result of poor or total lack of input validation. These languages
include CSS, XSS (Cross Site Scripting for any number of languages), C, C++, or
SQL, to name just a few. It is to be noted that attacks via SQL involves
attacking the server and having a little knowledge about databases, queries, and
the way that databases function. Next, the authors discuss
authentication and cryptography. They make it a point to prove to the reader
and users that not just any cryptography will do and that only proven tried and
true methods are acceptable for public use.

The book then goes into discussing privacy issues. It discusses identifying
information such as the referrer logs, agent logs, web bugs, clipboard access
(via Javascript), and cached pages. It then finishes up by discussing various
types of web services (including XML, SOAP, WSDL, and UDDI) and the inherent
problems that can be around using each one of them. The set of tools outlines
at the end of the book to help in bug testing web software is an excellent
compilation.

Opinion:

Software testing and implementation theories have been around for a long
time. There has also been numerous writings, journals, and theories published
on how things should and shouldn't be done. Mike Andrews and James Whittaker do
an excellent job of outlining the potential shortcomings of web programming.
This is an excellent jumping off point for anyone beginning on the security side
of web design.

To me, the most enjoyable part of the book is where the authors discuss the
"Key Principals for Quality" over the fifty years of software design. I think
they should have put that as part of the introduction to outline their point of
view on testing as a necessary part of the design phase (which should be a more
widely shared view point). Other than that, I believe that this is an excellent
all around reference and should be read by those involved in all aspects of the
world wide web.

I am having the hardest time finding reliable, drawn out information on any Linux site I have been to. I think it would be very useful, not just for students, for every one to have a site to visit that a list of general information on Linux. I am very determined to find information about Linux, but this lack of information is getting on my nerves. Please Help US!!!!